As more and more computers and other computing devices are interconnected through various networks, such as the Internet, computer security has become increasingly important, particularly the prevention of attacks delivered over a network. As those skilled in the art will recognize, these attacks come in many different forms, including, but not limited to, computer viruses, computer worms, system component replacements, denial of service, and even misuse and abuse of legitimate computer system features, all of which exploit one or more computer system vulnerabilities for illegitimate purposes. While those skilled in the art will realize that the various computer attacks are technically distinct from one another, for purposes of the present invention and for simplicity in description, all of these attacks will be generally referred to hereafter as malware.
When a computer system is attacked or “infected” by malware, the adverse results are varied, including disabling system devices; erasing or corrupting firmware, applications, or data files; transmitting potentially sensitive data to another location on the network; shutting down the computer system; or causing the computer system to crash. Yet another pernicious aspect of malware is that an infected computer system is used to infect other computers.
FIG. 1 is a pictorial diagram illustrating an exemplary networked environment 100 over which malware can be commonly distributed. As shown in FIG. 1, the exemplary networked environment 100 may include a plurality of computer systems 104-116 interconnected via a communication network 102, such as an intranet or a larger communication network, including the global TCP/IP network commonly referred to as the Internet. For whatever reason, a malicious party on computer 116, connected to the network 102, develops malware 118 and releases it on the network 102. The malware 118 is received by, and infects, one or more of the computer systems 106-112. As is typical with most malware, once infected, one computer is used to infect other computers, which in turn infect yet other computers. Clearly, due to the speed and reach of modern computer networks, a piece of malware 118 can “grow” at an exponential rate and quickly become a local epidemic that escalates into a global computer pandemic.
Malware can also leverage a computer system's features in an attack. Thus, operating system providers must now, for economic and contractual reasons, continually analyze their operating system functions to identify weaknesses or vulnerabilities that may be exploited through malware. For purposes of the present discussion, any avenue by which malware may attack a computer system will be generally referred to as a computer system vulnerability, or simply a vulnerability.
As vulnerabilities are identified and addressed in an operating system, or in other computer system components, the provider will typically release a software update to remedy the vulnerability. The system provider will typically make the necessary updates available from an update server that is maintained by a trustworthy source. The update server, such as update server 104, is also communicatively connected to the network 102 to which all other computer systems 106-114 are connected. The updates, frequently referred to as patches, are meant to be installed on a computer system by the user in order to secure the computer system against the identified vulnerabilities. However, these updates are, in essence, code changes to the components of the operating system, device drivers, or software applications. Because they are code changes, the software updates require substantial in-house testing prior to being released to the public.
Under the current system, there is a period of time, referred to hereafter as a vulnerability window, that exists between when new malware is released on the network 102 and when a computer system is updated to protect against it. As the name suggests, it is during this vulnerability window that a computer system is vulnerable, or at risk of becoming infected by the newest malware. FIGS. 2A-2C are block diagrams of exemplary timelines 200, 220, and 232, illustrating possible vulnerability windows.
In FIG. 2A, an operating system provider identifies the presence of a vulnerability in the released operating system at event 202. For example, in one scenario, the operating system provider, performing its own internal analysis of a released operating system, uncovers a previously unknown vulnerability that could be used to attack a computer system. In an alternative scenario, the previously unknown vulnerability is discovered by third parties, including organizations that perform system security analyses on computer systems, who relay information regarding the vulnerability to the operating system provider.
Once the operating system provider is aware of the presence of the vulnerability, the operating system provider addresses the vulnerability at event 204, which leads to the creation and release of a patch to secure any computer systems running the vulnerable operating system. Typically, an operating system provider will make some type of announcement that there is a system patch available, along with a recommendation to all operating system users to install the patch. The patch is usually placed in a known location, such as update server 104 on the network 102, shown in FIG. 1, for downloading and installation onto vulnerable computer systems.
Unfortunately, as happens all too often, after the operating system provider releases the patch, a malicious party downloads the patch and, using some reverse engineering, as well as any information made public by the operating system provider or others, identifies the specifics regarding the “fixed” vulnerability in the operating system at event 206. Using this information, the malicious party creates new malware to attack the underlying vulnerability. Alternatively, an attacker develops an exploit for the vulnerability independently of examining the update or patch. At event 208, the malicious party releases the new malware onto the network. While the goal of issuing a software patch is to correct an underlying vulnerability, the patch is often a complex piece of software code which itself, unfortunately, may create or contain a new vulnerability that could be attacked by malware created by a malicious party. Thus, in addition to being evaluated for what it corrects, the patch is also evaluated for vulnerabilities it may itself introduce.
Although a patch is available to computer system users, the malicious party realizes that, for various reasons including those described above, not every vulnerable computer system will be immediately upgraded. Thus, at event 208, the release of malware opens a vulnerability window 212, in which the vulnerable computer systems are susceptible to this malware. Only when the patch is finally installed on a computer system at event 210 is the vulnerability window 212 closed for that computer system.
Malware may also be released on the network that takes advantage of a previously unknown vulnerability in the operating system. FIG. 2B illustrates a vulnerability window 230 with regard to a timeline 220 under this scenario. Thus, as shown on timeline 220, at event 222, a malicious party releases new malware that takes advantage of a previously unknown vulnerability in the operating system. As this is new malware, there is no operating system patch available to protect vulnerable computer systems from the attack. Correspondingly, the vulnerability window 230 is opened immediately after release of the malware.
At some point after the new malware is circulating on the network, the operating system provider detects the new malware at event 224. As those skilled in the art will appreciate, typically, the presence of new malware on the network can be detected within a matter of hours by the operating system provider.
Once the latest malware is detected, the operating system provider begins the process of analysis to determine whether the operating system must be patched to protect the computer system from the malware. As a result of this effort, at event 226, the operating system provider releases an update, i.e., a software patch, to the operating system that addresses the vulnerability. Subsequently, at event 228, the update is installed on a user's computer system, thereby protecting the computer system and bringing the vulnerability window 230 to a close.
Unfortunately, many users may consider themselves free from ever being vulnerable to any one specific piece of malware once an update has been installed on the computer system. In reality, however, even after the user has updated the computer system with all possible available updates, the computer system may become vulnerable once again to the same piece of malware that had, at one time, been rendered ineffective. In other words, a previously closed vulnerability window may open at a future time.
Referring to FIG. 2C, a previously closed vulnerability window may be reopened at a future time on timeline 232 whenever the computer system must revert, for whatever reason, to a computer system “state” corresponding to a time when the update was not installed on the computer system. In the normal course of events, a computer system is patch non-compliant at event 234 on timeline 232 and subsequently becomes patch compliant at event 236, closing the vulnerability window 240 as described above. However, at a future time, such as at event 238, a computer system may find it necessary, under scenario 244, to return to a previous state. It could possibly revert to a state prior to event 236 but after event 234, which corresponds to a time when the computer system is not updated, thus reopening the previously closed vulnerability window 240 and placing the computer system at risk of attacks from the specific malware which had at one time been rendered ineffective against the computer system. It is also possible that the computer system may revert, under a different set of circumstances in scenario 246, to a secure state 242 after the vulnerability window 240 has been closed, or even to a state before event 234, which corresponds to a time when the computer system is updated as fully as possible. The indeterminate nature of state changes poses concerns for some users of a computer system.
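The following is an added illustration, not part of the patent text or its claimed method: a constructed model of the vulnerability windows of FIGS. 2A-2C, with a pre-event check that, before a revert to a saved state (event 238), reports which patches the target state lacks and therefore which windows would reopen (scenario 244) versus stay closed (scenario 246). The `RestorePoint` structure and the malware-to-patch mapping are assumptions for the example.

```python
"""Constructed model of the vulnerability windows of FIGS. 2A-2C; not from the patent."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RestorePoint:
    """A saved computer system 'state': its position on the timeline and the
    set of patches installed at that time (hypothetical structure)."""
    time: int
    installed: frozenset


# Constructed mapping of which patch closes the window for which piece of malware.
PATCH_FOR_MALWARE = {"malware-A": "patch-1", "malware-B": "patch-2"}


def vulnerability_window(malware_release: int, patch_install: Optional[int]):
    """Window for one system: opens when the malware is released (events 208/222)
    and closes when the patch is installed on that system (events 210/228).
    Returns None if the patch was already in place before the malware appeared,
    and (open, None) if the window is still open (no patch installed yet)."""
    if patch_install is not None and patch_install <= malware_release:
        return None
    return (malware_release, patch_install)


def windows_reopened_by_revert(current: RestorePoint, target: RestorePoint) -> dict:
    """Pre-event check for a pending revert (event 238): which malware would regain
    an open window because its patch is absent from the target state (scenario 244).
    An empty result is scenario 246: the target state is at least as fully patched."""
    lost = current.installed - target.installed
    return {m: p for m, p in PATCH_FOR_MALWARE.items() if p in lost}


if __name__ == "__main__":
    now = RestorePoint(238, frozenset({"patch-1", "patch-2"}))
    old = RestorePoint(235, frozenset({"patch-2"}))      # between events 234 and 236
    print(vulnerability_window(208, 210))                # FIG. 2A: (208, 210)
    print(vulnerability_window(222, None))               # FIG. 2B: (222, None), still open
    print(windows_reopened_by_revert(now, old))          # {'malware-A': 'patch-1'}
    print(windows_reopened_by_revert(now, now))          # {} (scenario 246)
```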
As can be appreciated from the discussion above, a vulnerability window can be reopened at a future time, and any piece of malware circulating on a network still poses a security threat to a computer system, even if the computer system was fully updated and patch compliant. The potential of placing the computer system at risk may be too great for a computer system user to accept, since an infected computer may cost the computer's owner substantial amounts of money to “disinfect” and repair. This cost can be enormous when dealing with large corporations or entities that may have thousands or hundreds of thousands of computers connected to a network. Such a cost is further amplified by the possibility that tampering with or destruction of customer data may ensue, which may be extremely difficult or impossible to trace and remedy. What is needed is a system and method for securing a computer system against malware in a proactive manner when a computer system event is about to occur that could potentially expose the computer system to a vulnerability. These and other issues are addressed by the present invention.